Both NTLM and LM hashes are one-way hashes of passwords, i.e. each password has one and only one corresponding hash and there is no function able to reverse the hash to retrieve the password.
Collisions are possible, i.e., a given hash may correspond to more than one password, which means that different passwords would allow you to log in to the same account on a computer. Still, no one has ever found a collision for either NTLM or LM hashes.
Now, note the following points about LM hashes:
- They are not used anymore since Windows XP.
- Windows passwords are assumed to be encoded in the System OEM Code Page (this is the number you get at a command prompt when you type chcp; in the US this number will usually be 437).
- LM hashes are easy to crack, particularly when the corresponding passwords consist only of printable characters (ASCII 32 to 127).
- They are more difficult to crack when the full 8-bit range of the Code Page is used.
- Since 8-bit characters are not Unicode characters, after character ASCII 127 their representation and meaning depend on the System OEM Code Page. This means that two different passwords may have the same LM hash when the ASCII characters are the same but the Code Pages are different. This looks like a collision, but is not.
- According to the rules, LM hashes are only calculated for passwords up to 14 characters long.
And note the following points about NTLM hashes:
- In general, Windows passwords with more than 8 characters are extremely difficult to crack in a useful amount of time when they consist of a mix of alpha, numeric, symbols and international (Unicode) characters.
- The NTLM hash is calculated after all characters are Unicode encoded (even those that you can type directly on the keyboard).
- Since Unicode is supported when calculating NTLM hashes, you may render your password nearly uncrackable by inserting into it international characters and weird symbols like ☺.
- Rainbow Tables crack pretty well when passwords consist only of ASCII characters, but fail miserably when passwords contain international characters or weird symbols.
What can you do here then?
- You can calculate LM and NTLM hashes for whatever purpose you have in mind (if you have no idea, then skip to the next point).
- For most people, the most important thing they can do here is: Check whether a given Windows Password is already in our giant Online Database that contains more than 5 billion passwords from published lists of easy passwords, common passwords, English and foreign language dictionary words, foreign language common passwords, and also compilations of short passwords built according to various strategies. If it is there, and it is your password, this is bad news for you; you had better change it ASAP.
- By default, if a password is not in our database, it will be added. So the next time someone looks for it, it will be there.
- If you are testing a password for your own use, uncheck Don't Add to Database before testing, so it will be dropped and not added to the Database.
- Currently, we are only adding to the Database passwords with a length up to 20 characters (the Database already contains tens of millions of passwords with more than 20 characters), but we will calculate hashes for passwords up to 127 characters and will report if the password is already in the Database.